The locations and layouts of U.S. military bases in countries like Syria and Afghanistan have been revealed by Strava heatmaps …

NordVPN

Strava allows users to capture maps of the routes followed while carrying out exercise like jogging, which are publicly visible if set to Public rather than Private. The most popular routes in any given area then form heatmaps, which effectively reveal not only the locations of military bases, but effectively create digital maps of their layouts.

The Washington Post says that while heatmaps are harmless in urban areas, they can be a major security risk in war zones.

In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity. Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around […]

“Big OPSEC [operations security] and PERSEC [personal security] fail,” tweeted Nick Waters, a former British army officer who pinpointed the location of his former base in Afghanistan using the map. “Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence.”

Much of the data is likely to have been uploaded from Fitbit devices, which military personnel are encouraged to use as part of a fitness regime.

The security risk was first identified by Nathan Ruser.

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq

Nathan Ruser, who is studying international security and the Middle East, found out about the map from a mapping blog […]

“I wondered, does it show U.S. soldiers?” Ruser said, and he immediately zoomed in on Syria. “It sort of lit up like a Christmas tree.”

Both the U.S. military and Strava say they are addressing the problem.

The U.S.-led coalition against the Islamic State said on Monday it is revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations […]

Strava issued a statement overnight saying that it is “committed to working with military and government officials to address sensitive areas that might appear.” An earlier company statement had urged its subscribers to check their privacy settings and provided a link to a site that explained how to do that.

While the specific risk of Strava heatmaps is more easily recognized with the benefit of hindsight, I agree with my colleague Michael Potuck who observed that it’s surprising soldiers on postings in sensitive areas are allowed to keep location services switched on on their personal devices. There are many apps that automatically include location data in their uploads.

Guides

About the Author

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels published to date, and an SF novella series coming in March 2017.